Deploying and tuning a V2Ray server in ws+tls1.3+nginx mode

After four straight years of using shadowsocks-libev to get past the firewall, I finally switched the server side to V2Ray at the start of 2020, running it in WebSocket+TLS+Web mode. This is the complete record, written up as an installation guide. Everything below is done on a freshly installed, clean Debian 10 system on a KVM virtual machine, logged in as root.

1. Preparation

Reinstall the system

Reinstall a clean Debian 10 following the article "Installing a fresh Debian 10 Buster over the network" and do the necessary configuration described there.

Character-set tweaks

1. Edit the vim configuration file: vi /etc/vim/vimrc.tiny
Change or add these two lines in it

set nocompatible
set backspace=2

2. Set the character set: vi .vimrc
Enter the following

set fileencodings=utf-8,gb2312,gb18030,gbk,ucs-bom,cp936,latin1
set enc=utf8
set fencs=utf8,gbk,gb2312,gb18030
set nocompatible
set backspace=2

2. Installing the V2Ray server in WebSocket+TLS+Web mode

1. Install with the community-maintained script fhs-install-v2ray

apt install build-essential -y
bash <(curl https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

The files are installed automatically as follows

installed: /usr/local/bin/v2ray
installed: /usr/local/bin/v2ctl
installed: /usr/local/lib/v2ray/geoip.dat
installed: /usr/local/lib/v2ray/geosite.dat
installed: /usr/local/etc/v2ray/00_log.json
installed: /usr/local/etc/v2ray/01_api.json
installed: /usr/local/etc/v2ray/02_dns.json
installed: /usr/local/etc/v2ray/03_routing.json
installed: /usr/local/etc/v2ray/04_policy.json
installed: /usr/local/etc/v2ray/05_inbounds.json
installed: /usr/local/etc/v2ray/06_outbounds.json
installed: /usr/local/etc/v2ray/07_transport.json
installed: /usr/local/etc/v2ray/08_stats.json
installed: /usr/local/etc/v2ray/09_reverse.json
installed: /var/log/v2ray/
installed: /etc/systemd/system/v2ray.service
installed: /etc/systemd/system/v2ray@.service

2. Edit the configuration file:
A single-file configuration is used here: vi /usr/local/etc/v2ray/config.json

3. Write the following configuration, changing it to suit your setup (mainly two places):

{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbounds": [{
    "port": 10000,   // change to your own port number
    "listen":"127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
          "level": 1,
          "alterId": 16
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/v2ray"   // change to the path you want
      }
    }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  },{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  }],
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "blocked"
      }
    ]
  }
}

This configuration deploys only the VMess protocol on the server; adjust it to your own situation. (The // comments are accepted by V2Ray's config loader but are not valid strict JSON, so strip them before feeding the file to other JSON tools.)
Note: the logs are under /var/log/v2ray/, namely
"access": "/var/log/v2ray/access.log"
"error": "/var/log/v2ray/error.log"
Change the owner and group of the log files: chown -R nobody:nogroup /var/log/v2ray/*

4. Nginx configuration
Replace the domain.com domain name and certificate used in this config with your own.

server {
    listen 80;
    listen [::]:80;
    server_name domain.com;
    return 301 https://domain.com$request_uri;
    location /nginx_status {
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com;
    root /data/wwwroot/default;
    index index.html;
    access_log /data/wwwlogs/domain.com_nginx.log combined;
    error_log /data/wwwlogs/domain.com_nginx_error.log error;

    ssl_certificate /usr/local/nginx/conf/ssl/domain.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/domain.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/root.crt;
    resolver 8.8.8.8 1.1.1.1 valid=60s;
    resolver_timeout 60s;

    location /v2ray {   # this path must match the wsSettings.path in the V2Ray config above
      if ($http_upgrade != "websocket") {
          return 404;
      }
      proxy_redirect off;
      proxy_pass http://127.0.0.1:10000;    # this port must match the inbound port in the V2Ray config above
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /nginx_status {
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}

5. Start the services

service nginx reload
systemctl enable v2ray
systemctl start v2ray
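The two comments in the nginx block say that the WebSocket path and the upstream port must agree with the V2Ray inbound. The following Python script is added here and is not part of the original guide: it parses both files (stripping the // comments that V2Ray accepts but strict JSON does not), matches each WebSocket inbound to its nginx location by brace-matching the location blocks, and reports a path or port mismatch, an inbound not bound to 127.0.0.1, or a location that lacks the $http_upgrade check. The two embedded configs are constructed samples in the same shape as the ones above.

```python
import json, re

# Constructed samples shaped like the two configs above (not the live files).
V2RAY_CONFIG = """{ "inbounds": [{ "port": 10000,   // inbound port
  "listen": "127.0.0.1", "protocol": "vmess",
  "streamSettings": { "network": "ws", "wsSettings": { "path": "/v2ray" } } }] }"""
NGINX_CONFIG = """server { listen 443 ssl http2;
  location /v2ray { if ($http_upgrade != "websocket") { return 404; }
    proxy_pass http://127.0.0.1:10000; proxy_http_version 1.1; }
  location /nginx_status { allow 127.0.0.1; deny all; } }"""

def strip_json_comments(text):  # V2Ray accepts // and /* */ comments; json.loads does not
    return re.sub(r"//[^\n]*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))

def ws_inbounds(config_text):
    """Yield (listen, port, path) for every WebSocket inbound in a V2Ray config."""
    cfg = json.loads(strip_json_comments(config_text))
    for ib in cfg.get("inbounds", []):
        ss = ib.get("streamSettings", {})
        if ss.get("network") == "ws":
            yield (ib.get("listen", "0.0.0.0"), ib["port"], ss.get("wsSettings", {}).get("path", "/"))

def nginx_locations(conf_text):
    """Map location path -> (upstream host, port, has Upgrade guard), via brace matching."""
    found = {}
    for m in re.finditer(r"location\s+(\S+)\s*\{", conf_text):
        depth, i = 1, m.end()
        while depth and i < len(conf_text):          # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf_text[i], 0)
            i += 1
        body = conf_text[m.end():i]
        pp = re.search(r"proxy_pass\s+http://([\w.]+):(\d+)", body)
        if pp:
            found[m.group(1)] = (pp.group(1), int(pp.group(2)), "$http_upgrade" in body)
    return found

def check_consistency(v2ray_text, nginx_text):
    """Return a list of mismatches; an empty list means the two configs agree."""
    problems, locs = [], nginx_locations(nginx_text)
    for listen, port, path in ws_inbounds(v2ray_text):
        if listen != "127.0.0.1":
            problems.append(f"inbound {port} listens on {listen}, not loopback")
        loc = locs.get(path)
        if loc is None:
            problems.append(f"no nginx location for {path}")
        elif (loc[0], loc[1]) != (listen, port):
            problems.append(f"nginx sends {path} to {loc[0]}:{loc[1]}, V2Ray is on {listen}:{port}")
        elif not loc[2]:
            problems.append(f"location {path} lacks the $http_upgrade check")
    return problems
```

To run it against a real server, read /usr/local/etc/v2ray/config.json and the nginx site file into the two strings instead of the samples.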

3. Tuning

Kernel parameter tuning

Edit vi /etc/sysctl.conf and enter the following:

fs.file-max = 1024000
fs.inotify.max_user_instances = 8192
net.core.default_qdisc=fq
net.core.netdev_max_backlog = 262144
net.core.rmem_default = 8388608
net.core.rmem_max = 67108864
net.core.somaxconn = 65535
net.core.wmem_default = 8388608
net.core.wmem_max = 67108864
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 10240 65000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_congestion_control = hybla
net.ipv4.tcp_congestion_control=bbr
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 65536
net.ipv4.tcp_max_tw_buckets = 60000
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_sack = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 4096 65536 67108864
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.nf_conntrack_max = 6553500

Save and apply: sysctl -p

About line 13, net.ipv4.tcp_congestion_control = hybla:
hybla suits high-latency links (e.g. servers in the US or Europe)
htcp suits low-latency links (e.g. servers in Japan or Hong Kong)
Note that the very next line sets the same key to bbr; sysctl -p applies the file from top to bottom, so the last assignment is the one that takes effect.

Enabling the TCP BBR congestion-control algorithm

BBR aims to fill the available bandwidth while keeping queueing to a minimum.
Check the system with uname -a and the kernel version with uname -r (BBR needs Linux 4.9 or later; the 4.19 kernel shipped with Debian 10 includes it).

Run

echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
Save and apply
sysctl -p

Check that the algorithm is active

sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control
sysctl net.core.default_qdisc
The output is normally:
net.ipv4.tcp_available_congestion_control = bbr hybla cubic reno
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq

Run lsmod | grep bbr
If the output lists the tcp_bbr module, BBR is active.
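The sysctl.conf above assigns net.ipv4.tcp_congestion_control twice and the BBR step appends the key a third time, so the value that actually applies is whichever line comes last. The Python below is added here and is not from the original guide: it parses a constructed excerpt in the same shape as that file, reports every duplicated key with its line numbers and effective value, and mirrors the three sysctl checks above. The available-algorithm list is passed in as a string standing in for the real output of sysctl net.ipv4.tcp_available_congestion_control.

```python
# Constructed excerpt in the shape of the /etc/sysctl.conf above, duplicates included.
SYSCTL_CONF = """
# congestion control and queueing
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control = hybla
net.ipv4.tcp_congestion_control=bbr
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_syncookies = 1
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
"""

def parse_sysctl(text):
    """Return (effective, duplicates).

    effective maps key -> value as sysctl -p would leave it (last assignment wins);
    duplicates maps each key assigned more than once -> [(line number, value), ...].
    """
    effective, seen = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        seen.setdefault(key, []).append((lineno, value))
        effective[key] = value
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates

def bbr_ready(effective, available="bbr hybla cubic reno"):
    """Same three conditions as the sysctl checks above: bbr chosen, offered by the kernel, fq qdisc."""
    return (effective.get("net.ipv4.tcp_congestion_control") == "bbr"
            and "bbr" in available.split()
            and effective.get("net.core.default_qdisc") == "fq")

def report(text):
    """Human-readable summary of conflicting keys, for running against the real file."""
    effective, duplicates = parse_sysctl(text)
    lines = [f"{key}: set {len(hits)} times, effective value {effective[key]!r}"
             for key, hits in duplicates.items()]
    return "\n".join(lines) if lines else "no duplicated keys"
```

Run report(open("/etc/sysctl.conf").read()) on the server to see which assignments in the real file are being shadowed.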

Other tweaks

1. Edit vi /etc/rc.local so that the kernel parameters are loaded again at boot:
add sysctl -p on the line before exit 0

2. Edit vi /etc/profile and add
ulimit -SHn 1024000
Then reboot the server and run ulimit -n; it should return 1024000.

3. Edit vi /etc/security/limits.conf and set the following:

* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
root soft nproc 1000000
root hard nproc 1000000
root soft nofile 1000000
root hard nofile 1000000

4. Edit vi /etc/pam.d/common-session and add
session required pam_limits.so

References: Download and install; WebSocket+TLS+Web
